I have 2 searches: search1 and search2.
Search 1 gives:
_time kpi1 kpi2 kpi3 kpi4
2016-01 493.26 636.06 56.322 1129.32
Search 2 gives:
_time kpi1 kpi2 kpi3 kpi4
2017-01 193.26 44.06 34.322 239.32
I combine them with the append (e.g. search 1 ... | append [ search2 ...])
_time kpi1 kpi2 kpi3 kpi4
2016 470.55 277.07 37.060 747.62
2017 193.26 44.06 34.322 239.32
but now the time format loses the month (e.g. 2017-01 becomes 2017)
How do I get it to hold on to the month?
_time kpi1 kpi2 kpi3 kpi4
2016-01 470.55 277.07 37.060 747.62
2017-01 193.26 44.06 34.322 239.32
If you left _time in its original, epoch format in both searches, and each search is returning only a single record, then the interface may just be guessing that you only care about the year. Tell it what you want.
| eval _time=strftime(_time,"%Y-%m")
See somesoni2's answer below, which leaves the underlying field in epoch format and probably should be the general way you do this stuff.
Or use the fieldformat command ( | fieldformat _time=strftime(_time,"%Y-%m") ).
tks @DalJeanis, that worked.
Awesome! Good to hear.
Can you try to put _time into epoch on both searches and then change the format to YYYY-MM after the append to see if that works?
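
A run-anywhere comparison of the two approaches discussed in this thread, added here as an example and not posted by any of the participants. It rebuilds the two single-row results from the question with makeresults (constructed data; the day "-01" is an assumption so the month parses to an epoch value), applies fieldformat to _time, and uses the hypothetical fields month_as_text, epoch_kept and next_month to show that _time is still numeric afterwards, so time functions such as relative_time keep working. Replacing the fieldformat line with the eval form would turn _time into a string and leave next_month empty.

```spl
| makeresults
| eval _time=strptime("2016-01-01","%Y-%m-%d"), kpi1=493.26, kpi2=636.06, kpi3=56.322, kpi4=1129.32
| append
    [| makeresults
     | eval _time=strptime("2017-01-01","%Y-%m-%d"), kpi1=193.26, kpi2=44.06, kpi3=34.322, kpi4=239.32]
| fieldformat _time=strftime(_time,"%Y-%m")
| eval month_as_text=strftime(_time,"%Y-%m")
| eval epoch_kept=if(isnum(_time),"yes","no")
| eval next_month=strftime(relative_time(_time,"+1mon"),"%Y-%m")
| sort 0 _time
| table _time month_as_text epoch_kept next_month kpi1 kpi2 kpi3 kpi4
```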